Loyalty Programs & Fraud: What You Need to Know

Loyalty program fraud can cost travelers and providers a fortune. Here's how to protect yourself.

It’s difficult to get your head around the numbers in the dark market of loyalty fraud.

But, when more than 70% of a $14 trillion market is at risk of being robbed overnight with just a quick phone call or a few clicks of the keyboard, it’s time to pay attention.

Points aren’t just scores, and miles are more than distance traveled. Loyalty program credits are currency, every bit as good as cash. This high-value, unregulated currency is under attack from fraudsters, who exploit the loopholes and security gaps of the banks where points and miles accounts are stored.

“These crimes are valued less by the authorities because there’s no real money,” CellPoint Mobile CEO Kristian Gjerding explains. “It’s a legal gray zone, because you can’t call the police or prosecute as you would with other crimes.” Gjerding cites figures from Consumer Reports: “Worldwide, more than 70 frequent flyer programs have about 300 million members.” There’s a lot to steal and a lot of potential victims of fraud. Learn to crack one system, and it’s easy to crack others. All of them have common vulnerabilities. And in each one, there are millions of accounts to steal from.

Michael Smith of Airline Information, a group that organizes air travel industry conferences and events, says that 72% of airline loyalty programs have been prey to fraudsters. (Just this week, the popular Hilton HHonors program was hacked, with one customer losing 250,000 points.) He agrees with Gjerding about the difficulties of getting the authorities to respond, and understands that it’s hard for many to think of points and miles as currency. “Miles were already the fourth-biggest currency in the world years ago,” he tells us. Smith points out that not only can points and miles be exchanged for goods and services, but, in some programs, they can even be redeemed as cash.

The worst part of this criminal activity is that it often goes undetected. “Surveys suggest that 80% of fraud is discovered by accident,” Smith says. An airline or hotel may not be aware of any issue with an account until a customer complains. While the formal response could be that the member is responsible for the security of his account, Smith points out that this puts the company operating the loyalty program in the awkward position of telling a prized customer that they are out of luck.

Types of Fraud

Miles and points fraud can be grouped into three main categories: fraud by employees, fraud by business partners, and fraud by criminal organizations. The first two categories of fraud have plagued loyalty programs for many years, with mixed responses by the companies running the programs to tighten security. The third has emerged more recently and is a booming business.

Staff, such as call center agents, flight attendants, and check-in desk staff, can credit miles to their personal accounts when travelers have no program affiliation or fail to use it. Business partners, such as travel agents, can do the same. Members themselves can commit fraud by double-dipping on claims for mileage for the same trip, claiming miles from two airline partners for a revenue-share ticket, for example.

The professional fraudsters — the criminal enterprises arising in the market expressly to take a chunk out of these unregulated virtual banks — collect legitimate miles into fictitious accounts with similar names to legitimate accounts, and manipulate systems to take over the identities of unsuspecting travelers. The exposure to loyalty program identity theft is significant. As Smith tells us, because the sensitive data required to manipulate the account is out in the open, it is ready for exploitation.
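The patterns described above (one trip claimed in two programs, miles credited to someone other than the traveler, and accounts named to resemble a legitimate member) can each be checked against accrual records. The following is an added example, not code from the article or from any loyalty program; the record layout, the 0.85 similarity threshold, and every sample value are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample accrual claims (hypothetical layout):
# (ticket_no, segment, passenger_name, program, account_id, account_holder)
CLAIMS = [
    ("0012345678901", "JFK-LHR", "ALICE MORGAN", "AirA", "A100", "ALICE MORGAN"),
    ("0012345678901", "JFK-LHR", "ALICE MORGAN", "AirB", "B200", "ALICE MORGAN"),
    ("0012345678902", "LHR-CDG", "BRIAN COLE", "AirA", "A300", "DANA REYES"),
    ("0012345678903", "CDG-FRA", "CARLA DIAZ", "AirA", "A400", "CARLA DIAS"),
    ("0012345678904", "FRA-JFK", "EVAN WOLFE", "AirA", "A500", "EVAN WOLFE"),
]


def similarity(a, b):
    """Case-insensitive similarity ratio between two names (0.0 to 1.0)."""
    return SequenceMatcher(None, a.upper(), b.upper()).ratio()


def review_claims(claims, lookalike_threshold=0.85):
    """Return (finding_type, ticket_no, account_ids) tuples for manual review."""
    findings = []
    by_segment = defaultdict(list)
    for claim in claims:
        by_segment[(claim[0], claim[1])].append(claim)

    for (ticket, _segment), group in sorted(by_segment.items()):
        # Same flown segment credited to more than one account: double-dipping.
        accounts = sorted({c[4] for c in group})
        if len(accounts) > 1:
            findings.append(("double_claim", ticket, accounts))
        for _, _, passenger, _, account, holder in group:
            if passenger.upper() == holder.upper():
                continue
            # Holder differs from the traveler: a near-identical name suggests
            # a look-alike account, otherwise miles went to a third party.
            if similarity(passenger, holder) >= lookalike_threshold:
                findings.append(("lookalike_account", ticket, [account]))
            else:
                findings.append(("third_party_credit", ticket, [account]))
    return findings


if __name__ == "__main__":
    for finding in review_claims(CLAIMS):
        print(finding)
```

Findings of this kind are leads for review rather than proof of fraud: family members, name changes, and transliteration differences all produce mismatches.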

Professional hackers who support criminal enterprises don’t need to walk the terminal combing for abandoned boarding passes to find sensitive information ready for exploitation. They can do so from the comfort of their chair, in the anonymity of their cyber life, and loyalty members give them all the data they need, just by being social. “Fraudsters can use email accounts and social media profiles to reverse-engineer an identity,” Smith points out. Banks and other financial institutions have responded with more complex methods of verification, but many of the companies offering loyalty programs haven’t kept up with the changing pace.

What's Being Done

CellPoint Mobile has worked with financial institutions to address these data gaps, and has transferred that experience into the development of more responsive verification systems that address these vulnerabilities in loyalty programs. “We use multi-factor authentication and data-profiling modules which monitor activity profiles of the accounts and activity around the account,” Gjerding says. “The rule sets based on that data monitor transactions for suspicious activities commonly linked to fraud. We’ll do a cell phone check to ensure that it is associated with the account, for example. We may use credit card validation, unique SIMs on phones and unique credit cards.”

Whatever the methodology, awareness of the vulnerability is the first big step forward for loyalty programs and for their members.

“Some airlines are aware of the standard problems, some are savvier, but all airlines are potential targets,” Smith says. The only way for travelers to protect themselves, he suggests, is vigilance. He advises travelers to manage their loyalty accounts, and the data associated with them, as carefully as they manage access to their personal bank accounts.

Miles and points are currency, Smith emphasizes, every bit as much as the dollar or euro or yen. They can be used for many real-world financial transactions, everything ranging from travel to shopping to cash. Either we treat them as carefully as money, or we stand to lose a fortune.